Author: Corey Neskey, CISSP | cneskey@protonmail.com | https://github.com/cneskey | https://linkedin.com/in/cneskey | @cneskey
| Assets at risk (Included) | Assets at risk (Excluded) | Containers/Points of attack (Included) | Containers/Points of attack (Excluded) | Threat communities (Included) | Threat communities (Excluded) | Threat Types (Included) | Threat Types (Excluded) | Effects (Included) | Effects (Excluded) |
|---|---|---|---|---|---|---|---|---|---|
| Non Public Information (NPI) | Other | Subnet Neighbors on Oak-Net | DerpCorp AD Systems | privileged insiders (DerpCorp & Vendors) | | deliberately | Mechanical | confidentiality | |
| | | ServerGaugeMgmt Server on Oak-Net | DerpCorp SMTP Systems | non-privileged insiders (DerpCorp & Vendors) | | accidentally | Process Failure | integrity | |
| | | ServerGaugeReport Server on Oak-Net | DerpCorp Networking and FW Systems | malicious software | | | Natural | availability | |
| | | ServerGaugeIndex Server on Oak-Net | DerpCorp Vulnerability Scanner Systems | external attackers | | | | | |
| | | ServerGaugeMonitor Server on Oak-Net | DerpCorp Vendor Access | | | | | | |
| | | ServerGaugeSQL Server on Oak-Net | DerpCorp Replicated DR Equivalent Systems | | | | | | |
| | | DerpCorp hypervisor Server on Oak-Net | DerpCorp Backup Systems | | | | | | |
| | | DerpCorp sysadmin jump stations on Oak-Net | DerpCorp DFS Systems | | | | | | |
| | | Monitored servers on Maple-Net | DerpCorp Endpoint Security Management Server | | | | | | |
| | | Monitored servers on Birch-Net | DerpCorp Endpoint Management Server | | | | | | |
Plan A Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $398,331 | $796,662 | $1,194,993 |
| Costs | $57,998 | $64,182 | $70,366 |
| Loss | $431,349 | $862,698 | $1,294,046 |
| Mitigation Costs | $0 | $0 | $0 |
| Prevented Loss | $0 | $0 | $0 |
| Net | -$91,015 | -$522,364 | -$953,713 |
Plan B Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $398,331 | $796,662 | $1,194,993 |
| Costs | $57,998 | $64,182 | $70,366 |
| Loss | $339,040 | $678,080 | $1,017,120 |
| Mitigation Costs | $2,229 | $2,229 | $2,229 |
| Prevented Loss | $92,309 | $184,617 | $276,926 |
| Net | $91,372 | -$155,359 | -$679,017 |
Plan C Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $398,331 | $796,662 | $1,194,993 |
| Costs | $57,998 | $64,182 | $70,366 |
| Loss | $250,357 | $500,714 | $751,071 |
| Mitigation Costs | $40,864 | $40,864 | $40,864 |
| Prevented Loss | $180,992 | $361,984 | $542,975 |
| Net | $230,104 | $160,739 | -$717,652 |
Given the net value after factoring in this project's known initial and recurring costs, its known benefits, potential losses due to risks, and control mitigation costs, DerpCorp can expect to realize a profit after 2 years of using this solution, provided Plan B controls are implemented.
| Benefit UID | Benefit Event | Benefits Probability | Benefits Lower Bound | Benefits Most Likely | Benefits Upper Bound | Benefits Rationale | Benefits Recurring_Ben |
|---|---|---|---|---|---|---|---|
| benefit-1 | System performance monitoring and alerting to prevent outages where possible and reduce outage duration. | 90% | $63,477 | $182,292 | $1,718,750 | LowEnd = .5 hrs of outages for 2k employees making 75k+30%bens, MostLikely = 1 hrs of outages 1.5k emps making 100k+30%bens, HighEnd = 4 hrs outages 3k emps making 300k+30%bens | TRUE |
| benefit-2 | Remote command execution via performance agent. | 50% | $30 | $2,000 | $200,000 | Assumes Upper Bound is cost of one FTE. Not part of original use-case but may be used. | TRUE |
| Known Costs UID | Known Cost Event | Known Costs Lower Bound | Known Costs Most Likely | Known Costs Upper Bound | Known Costs Rationale | Known Costs Recurring Expense |
|---|---|---|---|---|---|---|
| cost-1 | Product (ServerGauge) direct purchase costs | $19,790 | $19,790 | $19,790 | Actual Contract | FALSE |
| cost-2 | Product (ServerGauge) support and pro services | $0 | $0 | $0 | No Pro Services | FALSE |
| cost-3 | Internal setup and testing | $1,500 | $24,000 | $72,000 | Wage-based - Sys Engineer x 2 - 1-12 week, ML 4 weeks | FALSE |
| cost-4 | Internal initial security review | $1,500 | $2,800 | $5,600 | Wage-based - Security Analyst x 1 | FALSE |
| cost-5 | Ongoing maintenance and systems administration | $1,500 | $3,000 | $24,000 | Wage-based - Sys Engineer x 1 - 1 to 8 weeks ML 2 | TRUE |
| UID | Assets at risk | Containers/Points of attack | Threat communities | Threat Types | Effects | Scenario |
|---|---|---|---|---|---|---|
| Risk-1 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-2 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-3 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-4 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-5 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-6 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-7 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-8 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-9 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-10 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-11 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-12 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-13 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-14 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-15 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-16 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-17 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-18 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-19 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-20 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-21 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-22 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-23 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-24 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-25 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-26 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-27 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-28 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-29 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-30 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | confidentiality | malicious software deliberately impacts the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-31 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-32 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-33 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-34 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-35 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-36 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-37 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-38 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-39 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-40 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-41 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-42 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-43 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-44 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-45 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-46 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-47 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-48 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-49 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-50 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-51 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-52 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-53 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-54 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-55 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-56 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-57 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-58 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-59 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-60 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-61 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-62 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-63 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-64 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-65 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-66 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-67 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-68 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-69 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-70 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-71 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-72 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-73 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-74 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-75 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-76 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-77 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-78 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-79 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-80 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-81 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-82 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-83 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-84 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-85 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-86 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-87 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-88 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-89 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-90 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | integrity | malicious software deliberately impacts the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-91 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-92 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-93 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-94 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-95 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-96 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-97 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-98 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-99 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-100 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-101 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-102 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-103 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-104 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-105 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-106 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-107 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-108 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-109 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-110 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-111 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-112 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-113 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-114 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-115 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-116 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-117 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-118 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-119 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-120 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-121 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-122 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-123 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-124 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-125 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-126 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-127 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-128 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-129 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-130 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-131 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-132 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-133 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-134 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-135 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-136 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-137 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-138 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-139 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-140 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-141 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-142 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-143 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-144 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-145 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-146 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-147 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-148 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-149 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-150 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-151 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-152 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-153 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-154 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-155 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-156 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-157 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-158 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-159 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-160 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-161 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-162 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-163 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-164 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-165 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-166 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-167 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-168 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-169 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-170 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-171 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-172 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-173 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-174 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-175 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-176 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-177 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-178 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-179 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-180 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
[Interactive plots of the simulated results, one tab per plot type: ECDF, Density, Violin, Swarm, Box, Ridge]
Methodology Criteria
A risk analysis should meet local, city, state, federal, and international compliance criteria and yield a corresponding risk assessment report. The criteria and objectives of this analysis are as follows:
Methodology Standardization & Interoperability
The taxonomy chosen is based on The Open Group’s Factor Analysis of Information Risk (FAIR) standard, an open and independent information risk analysis methodology. This ensures transparency, continuity, and interoperability with other major standards.
The Open Group is an industry consortium that facilitates business objectives by developing open, vendor-neutral technology standards and certifications. The Open Group has published two Open FAIR standards, which together form the risk taxonomy followed here:
Open Risk Taxonomy Technical Standard (O-RT). This standard defines a standard taxonomy of terms, definitions, and relationships used in risk analysis.
Open Risk Analysis Technical Standard (O-RA). This standard describes process aspects associated with performing effective risk analysis.
The FAIR Institute maintains publicly available documentation, resources, community events and other modes of promotion, training, and collaboration.
Deviations from Standard
The methodology used for this assessment deviates from published standards where those standards deviate from scientifically rigorous literature that meets the following criteria:
An annotated review of the scientific literature supporting each component of this methodology may be found here.
Methodology
Scope definition, estimate parameters and commentary are collected using a format comfortable to most users, a spreadsheet. A companion spreadsheet is provided with this tool which is interoperable with major spreadsheet rendering software such as Microsoft Office Excel and Google Sheets. The only variable that needs to be entered into this tool is the address or filepath to the companion spreadsheet containing the scope components, estimate parameters, and desired commentary.
[Figure: Companion spreadsheet opened in Google Sheets.]
[Figure: Companion spreadsheet opened in Microsoft Excel.]
Data is collected in the form of interviews, documentation review, and/or receptor-based discovery scanning in order to define the scope of the assessment. Abstractions of the components within scope are categorized into areas: Assets, Containers / Points of Attack, Agent / Threat Communities, Threat Types, and Threat Effects.
NOTICE: Each column is an independent list. i.e. the contents of rows do not relate to each other.
Scenario Building
Loss scenarios are generated by exhausting all combinations of the components identified as in scope. Implausible scenarios, e.g. non-malicious malware, are removed. The components of each remaining combination are strung together to form the scenario statement.
Parameter Definition
Probability and impact parameters for each loss scenario are defined by integrating available data with estimates from calibrated subject matter experts. Predefined distribution parameters and/or hyper-parameters of a loss event are used where they are available and credible.
To take advantage of a person’s natural Bayesian tendencies, calibration questions and responses take the form of frequency formats instead of percentages or fractions.
Frequency formats communicate information to experts in a form that more closely resembles the natural sampling observed in animal foraging and neural networks. What is 1% in standard format would be “10 in 100” in frequency format.
Control Planning
This risk assessment tool facilitates the comparison of different combinations of controls that may reduce the probability, impact, or uncertainty of loss events. The tool calls the first theoretical combination of loss events and controls “Plan-A”. Plan-A represents the absence of any controls, in order to establish a baseline or “inherent risk”. Plan-B is the second combination of controls. This is where analysts may list controls that are already in place and additional controls that they are considering implementing. Plan-C is where the analyst enters an alternative set or combination of controls that requires comparison.
After controls have been entered as column headers under “Controls”, the check boxes are used to indicate which loss scenarios each control affects.
For example, the “Malware scans nightly” control applies to the scenarios whose Threat Community entry contains “malicious software”.
Simulation
Monte Carlo Simulation is used to generate a dataset using the parameters provided. The simulations consist of at least 10,000 variations of each loss scenario.
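An added sketch of the simulation and plan comparison (not the tool's own code): each scenario is drawn 10,000 times under Plan-A (no controls) and Plan-B, with the same random stream for both so the difference reflects only the controls. The triangular distribution, the scenario parameters, and the 50% probability reduction for “Malware scans nightly” are constructed assumptions; the page does not say which distribution the tool uses.

```python
import random
import statistics

# Constructed sample parameters (not from the report): annual probability of
# the loss event plus lower / most-likely / upper bounds on its magnitude.
SCENARIOS = [
    {"community": "malicious software", "p": 0.30,
     "low": 10_000, "mode": 30_000, "high": 100_000},
    {"community": "external attackers", "p": 0.10,
     "low": 50_000, "mode": 120_000, "high": 400_000},
    {"community": "privileged insiders (DerpCorp & Vendors)", "p": 0.20,
     "low": 5_000, "mode": 15_000, "high": 60_000},
]

# Control name -> (Threat Community text it applies to, assumed fractional
# reduction in event probability). Plan-A is the empty control set.
PLAN_A = {}
PLAN_B = {"Malware scans nightly": ("malicious software", 0.50)}


def effective_probability(scenario, controls):
    """Apply every control whose target text appears in the scenario's community."""
    p = scenario["p"]
    for applies_to, reduction in controls.values():
        if applies_to in scenario["community"]:
            p *= 1.0 - reduction
    return p


def analytic_expected_loss(scenarios, controls):
    """Closed-form mean, used as a sanity check on the simulation."""
    return sum(
        effective_probability(s, controls) * (s["low"] + s["mode"] + s["high"]) / 3
        for s in scenarios
    )


def simulate(scenarios, controls, iterations=10_000, seed=2024):
    """Return one total annual loss per iteration."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for s in scenarios:
            # Both values are always drawn so that two plans run with the same
            # seed consume identical random streams (common random numbers).
            u = rng.random()
            magnitude = rng.triangular(s["low"], s["high"], s["mode"])
            if u < effective_probability(s, controls):
                total += magnitude
        totals.append(total)
    return totals


def compare_plans(scenarios, plan_a, plan_b, iterations=10_000, seed=2024):
    """Summarise expected loss, tail loss and prevented loss for two plans."""
    a = simulate(scenarios, plan_a, iterations, seed)
    b = simulate(scenarios, plan_b, iterations, seed)
    return {
        "plan_a_mean": statistics.mean(a),
        "plan_b_mean": statistics.mean(b),
        "prevented_mean": statistics.mean(x - y for x, y in zip(a, b)),
        "plan_a_p95": statistics.quantiles(a, n=20)[18],
        "plan_b_p95": statistics.quantiles(b, n=20)[18],
    }


if __name__ == "__main__":
    for key, value in compare_plans(SCENARIOS, PLAN_A, PLAN_B).items():
        print(f"{key:>15}: ${value:,.0f}")
```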
Analysis
The resulting approximating dataset is then analyzed using appropriate statistical methodologies.
Reporting / Communication
Background and scope may be communicated alone or alongside visuals by entering the desired text into the respective sections in the Commentary tab of the spreadsheet.
After analysis has concluded, conclusions and recommendations may also be communicated alone or alongside visuals by entering the desired text into the respective sections of the Commentary tab of the companion spreadsheet.
Executive Summary
Recommendation
It is recommended that Derp Corp proceed with control Plan B to mitigate risk associated with introducing ServGauge to Derp Corp’s server infrastructure.
Next Steps
Director Bobson has requested that Derp Corp’s IT personnel provide the analyst with the following information after review of this report:
1. Changes to scope as defined in the Scope section of this report.
2. Controls from 3. Recommendations section that will be implemented.
Overview
Scope
| Assets: Included | Assets: Excluded | Containers: Included | Containers: Excluded | Threat Communities: Included | Threat Communities: Excluded | Threat Types: Included | Threat Types: Excluded | Threat Effects: Included | Threat Effects: Excluded |
|---|---|---|---|---|---|---|---|---|---|
| Non Public Information (NPI) | Other | Subnet Neighbors on Oak-Net | DerpCorp AD Systems | privileged insiders (DerpCorp & Vendors) | | deliberately | Mechanical | confidentiality | |
| | | ServerGaugeMgmt Server on Oak-Net | DerpCorp SMTP Systems | non-privileged insiders (DerpCorp & Vendors) | | accidentally | Process Failure | integrity | |
| | | ServerGaugeReport Server on Oak-Net | DerpCorp Networking and FW Systems | malicious software | | | Natural | availability | |
| | | ServerGaugeIndex Server on Oak-Net | DerpCorp Vulnerability Scanner Systems | external attackers | | | | | |
| | | ServerGaugeMonitor Server on Oak-Net | DerpCorp Vendor Access | | | | | | |
| | | ServerGaugeSQL Server on Oak-Net | DerpCorp Replicated DR Equivalent Systems | | | | | | |
| | | DerpCorp hypervisor Server on Oak-Net | DerpCorp Backup Systems | | | | | | |
| | | DerpCorp sysadmin jump stations on Oak-Net | DerpCorp DFS Systems | | | | | | |
| | | Monitored servers on Maple-Net | DerpCorp Endpoint Security Management Server | | | | | | |
| | | Monitored servers on Birch-Net | DerpCorp Endpoint Management Server | | | | | | |
Analysis
Projection
The net value after factoring in costs, benefits, losses, and mitigation costs over 1, 2, and 3 years.
Given the net value after factoring in known initial and recurring costs of this project as well as the project’s known benefits, potential losses due to risks, and control mitigation costs, Derp Corp can expect to realize profit after 2 years of use of this solution provided plan B controls are implemented.
Plan A Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $398,331 | $796,662 | $1,194,993 |
| Costs | $57,998 | $64,182 | $70,366 |
| Loss | $431,349 | $862,698 | $1,294,046 |
| Mitigation Costs | $0 | $0 | $0 |
| Prevented Loss | $0 | $0 | $0 |
| Net | -$91,015 | -$522,364 | -$953,713 |
Plan B Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $398,331 | $796,662 | $1,194,993 |
| Costs | $57,998 | $64,182 | $70,366 |
| Loss | $339,040 | $678,080 | $1,017,120 |
| Mitigation Costs | $2,229 | $2,229 | $2,229 |
| Prevented Loss | $92,309 | $184,617 | $276,926 |
| Net | $91,372 | -$155,359 | -$679,017 |
Plan C Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $398,331 | $796,662 | $1,194,993 |
| Costs | $57,998 | $64,182 | $70,366 |
| Loss | $250,357 | $500,714 | $751,071 |
| Mitigation Costs | $40,864 | $40,864 | $40,864 |
| Prevented Loss | $180,992 | $361,984 | $542,975 |
| Net | $230,104 | $160,739 | -$717,652 |
Benefits
Parameters provided by experts to approximate the benefits of this project.
| Benefit UID | Benefit Event | Benefits Probability | Benefits Lower Bound | Benefits Most Likely | Benefits Upper Bound | Benefits Rationale | Benefits Recurring_Ben |
|---|---|---|---|---|---|---|---|
| benefit-1 | System performance monitoring and alerting to prevent outages where possible and reduce outage duration. | 90% | $63,477 | $182,292 | $1,718,750 | LowEnd = .5 hrs of outages for 2k employees making 75k+30%bens, MostLikely = 1 hrs of outages 1.5k emps making 100k+30%bens, HighEnd = 4 hrs outages 3k emps making 300k+30%bens, | TRUE |
| benefit-2 | Remote command execution via performance agent. | 50% | $30 | $2,000 | $200,000 | Assumes Upper Bound is cost of one FTE. Not part of original use-case but may be used. | TRUE |
Costs
Parameters provided by experts to approximate the costs of this project.
| Known Costs UID | Known Cost Event | Known Costs Lower Bound | Known Costs Most Likely | Known Costs Upper Bound | Known Costs Rationale | Known Costs Recurring Expense |
|---|---|---|---|---|---|---|
| cost-1 | Product (ServerGauge) direct purchase costs | $19,790 | $19,790 | $19,790 | Actual Contract | FALSE |
| cost-2 | Product (ServerGauge) support and pro services | $0 | $0 | $0 | No Pro Services | FALSE |
| cost-3 | Internal setup and testing | $1,500 | $24,000 | $72,000 | Wage-based - Sys Engineer x 2 - 1-12 week, ML 4 weeks | FALSE |
| cost-4 | Internal initial security review | $1,500 | $2,800 | $5,600 | Wage-based - Security Analyst x 1 | FALSE |
| cost-5 | Ongoing maintenance and systems administration | $1,500 | $3,000 | $24,000 | Wage-based - Sys Engineer x 1 - 1 to 8 weeks ML 2 | TRUE |
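The benefit and cost parameters above, run through a Monte Carlo simulation of at least 10,000 trials as the methodology describes. This is an added example, not the report's own tooling. It assumes a BetaPERT distribution (shape 4) over each lower/most-likely/upper triple, independent draws per year, known costs treated as certain, and non-recurring items applied in year 1 only; the `Event` class and all function names are illustrative.

```python
"""Monte Carlo projection of the report's benefit and cost parameters (added example)."""
import random
import statistics
from dataclasses import dataclass

PERT_SHAPE = 4.0  # assumption: classic BetaPERT weighting of the most-likely value


@dataclass(frozen=True)
class Event:
    uid: str
    probability: float  # chance the event occurs in a given year
    low: float
    mode: float
    high: float
    recurring: bool     # FALSE in the tables means year 1 only

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.uid}: probability must be within [0, 1]")
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"{self.uid}: need lower <= most likely <= upper")


# Values copied from the Benefits and Costs tables. Known costs have no
# probability column, so they are treated as certain (assumption).
BENEFITS = [
    Event("benefit-1", 0.90, 63_477, 182_292, 1_718_750, True),
    Event("benefit-2", 0.50, 30, 2_000, 200_000, True),
]
COSTS = [
    Event("cost-1", 1.0, 19_790, 19_790, 19_790, False),
    Event("cost-2", 1.0, 0, 0, 0, False),
    Event("cost-3", 1.0, 1_500, 24_000, 72_000, False),
    Event("cost-4", 1.0, 1_500, 2_800, 5_600, False),
    Event("cost-5", 1.0, 1_500, 3_000, 24_000, True),
]


def sample_pert(rng, low, mode, high, shape=PERT_SHAPE):
    """Draw one BetaPERT value; a zero-width range (cost-1, cost-2) is a constant."""
    span = high - low
    if span == 0:
        return float(low)
    alpha = 1.0 + shape * (mode - low) / span
    beta = 1.0 + shape * (high - mode) / span
    return low + span * rng.betavariate(alpha, beta)


def expected_value(event, shape=PERT_SHAPE):
    """Analytic yearly mean: probability x (low + shape*mode + high) / (shape + 2)."""
    return event.probability * (event.low + shape * event.mode + event.high) / (shape + 2.0)


def simulate(events, years=3, trials=10_000, seed=2024):
    """Return one row per trial holding the cumulative total at the end of each year."""
    rng = random.Random(seed)
    rows = []
    for _ in range(trials):
        running, row = 0.0, []
        for year in range(1, years + 1):
            for ev in events:
                if year > 1 and not ev.recurring:
                    continue  # one-off items are only incurred in year 1
                if rng.random() < ev.probability:
                    running += sample_pert(rng, ev.low, ev.mode, ev.high)
            row.append(running)
        rows.append(row)
    return rows


def summarize(rows):
    """Per-year mean plus 5th/50th/95th percentiles across all trials."""
    out = []
    for totals in zip(*rows):
        ordered = sorted(totals)
        last = len(ordered) - 1
        out.append({
            "mean": statistics.fmean(ordered),
            "p05": ordered[int(0.05 * last)],
            "p50": ordered[int(0.50 * last)],
            "p95": ordered[int(0.95 * last)],
        })
    return out


if __name__ == "__main__":
    for label, events in (("Benefits", BENEFITS), ("Costs", COSTS)):
        for year, s in enumerate(summarize(simulate(events)), start=1):
            print(f"{label} year {year}: mean ${s['mean']:,.0f} "
                  f"(5%-95%: ${s['p05']:,.0f} to ${s['p95']:,.0f})")
```

Under these assumptions the analytic means are about $394,045 of benefits per year and $57,340 of year-1 costs, close to the Benefits and Costs rows of the Expected tables. The percentile columns show how wide the spread around those means is, which a single expected value hides.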
| UID | Assets at risk | Containers/Points of attack | Threat communities | Threat Types | Effects | Scenario |
|---|---|---|---|---|---|---|
| Risk-1 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-2 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-3 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-4 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-5 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-6 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-7 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-8 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-9 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-10 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-11 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-12 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-13 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-14 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-15 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-16 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-17 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-18 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-19 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-20 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | confidentiality | non-privileged insiders (DerpCorp & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-21 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-22 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-23 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-24 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-25 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-26 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-27 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-28 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-29 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-30 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | confidentiality | malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-31 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-32 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-33 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-34 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-35 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-36 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-37 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-38 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-39 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-40 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-41 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-42 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-43 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-44 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-45 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-46 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-47 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-48 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-49 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-50 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-51 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-52 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-53 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-54 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-55 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-56 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-57 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-58 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-59 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-60 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | confidentiality | non-privileged insiders (DerpCorp & Vendors) accidentally impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-61 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-62 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-63 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-64 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-65 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-66 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-67 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-68 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-69 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-70 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | integrity | privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-71 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-72 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-73 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-74 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-75 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-76 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-77 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-78 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-79 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-80 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | integrity | non-privileged insiders (DerpCorp & Vendors) deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-81 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-82 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-83 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-84 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-85 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-86 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-87 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-88 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-89 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-90 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | integrity | malicious software deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-91 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-92 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-93 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-94 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-95 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-96 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-97 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-98 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-99 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-100 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | integrity | external attackers deliberately impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-101 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-102 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-103 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-104 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-105 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-106 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-107 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-108 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-109 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-110 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | accidentally | integrity | privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-111 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-112 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-113 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-114 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-115 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-116 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-117 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-118 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-119 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-120 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | integrity | non-privileged insiders (DerpCorp & Vendors) accidentally impact the integrity of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-121 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-122 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-123 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-124 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-125 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-126 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-127 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-128 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-129 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-130 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | deliberately | availability | privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-131 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-132 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-133 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-134 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-135 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-136 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-137 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-138 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-139 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-140 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | deliberately | availability | non-privileged insiders (DerpCorp & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-141 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-142 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-143 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-144 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-145 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-146 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-147 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-148 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-149 | Non Public Information (NPI) | Monitored servers on Maple-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-150 | Non Public Information (NPI) | Monitored servers on Birch-Net | malicious software | deliberately | availability | malicious software deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-151 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-152 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-153 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-154 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-155 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-156 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-157 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-158 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-159 | Non Public Information (NPI) | Monitored servers on Maple-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-160 | Non Public Information (NPI) | Monitored servers on Birch-Net | external attackers | deliberately | availability | external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-161 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-162 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-163 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-164 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-165 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-166 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-167 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-168 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-169 | Non Public Information (NPI) | Monitored servers on Maple-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-170 | Non Public Information (NPI) | Monitored servers on Birch-Net | privileged insiders (DerpCorp & Vendors) | accidentally | availability | privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
| Risk-171 | Non Public Information (NPI) | Subnet Neighbors on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Subnet Neighbors on Oak-Net. |
| Risk-172 | Non Public Information (NPI) | ServerGaugeMgmt Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMgmt Server on Oak-Net. |
| Risk-173 | Non Public Information (NPI) | ServerGaugeReport Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeReport Server on Oak-Net. |
| Risk-174 | Non Public Information (NPI) | ServerGaugeIndex Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeIndex Server on Oak-Net. |
| Risk-175 | Non Public Information (NPI) | ServerGaugeMonitor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeMonitor Server on Oak-Net. |
| Risk-176 | Non Public Information (NPI) | ServerGaugeSQL Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through ServerGaugeSQL Server on Oak-Net. |
| Risk-177 | Non Public Information (NPI) | DerpCorp hypervisor Server on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp hypervisor Server on Oak-Net. |
| Risk-178 | Non Public Information (NPI) | DerpCorp sysadmin jump stations on Oak-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through DerpCorp sysadmin jump stations on Oak-Net. |
| Risk-179 | Non Public Information (NPI) | Monitored servers on Maple-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Maple-Net. |
| Risk-180 | Non Public Information (NPI) | Monitored servers on Birch-Net | non-privileged insiders (DerpCorp & Vendors) | accidentally | availability | non-privileged insiders (DerpCorp & Vendors) accidentally impact the availability of Non Public Information (NPI) through Monitored servers on Birch-Net. |
Appendix B: Assessment Methodology
Methodology Criteria
A risk analysis should meet local, city, state, federal, and international compliance criteria and yield a corresponding risk assessment report. The criteria and objective of this analysis are as follows:
Methodology Standardization & Interoperability
The taxonomy chosen is based on Open Group’s Factor Analysis of Information Risk (FAIR) standard, an open and independent information risk analysis methodology. This ensures transparency, continuity, and interoperability with other major standards.
The Open Group is an industry consortium that facilitates business objectives by developing open, vendor-neutral technology standards and certifications. The Open Group published two Open FAIR standards that form the risk taxonomy followed:
Open Risk Taxonomy Technical Standard (O-RT). This standard defines a standard taxonomy of terms, definitions, and relationships used in risk analysis.
Open Risk Analysis Technical Standard (O-RA). This standard describes process aspects associated with performing effective risk analysis.
The FAIR Institute maintains publicly available documentation, resources, community events and other modes of promotion, training, and collaboration.
Deviations from Standard
The methodology used for this assessment deviates from published standards where those standards deviate from scientifically rigorous literature that meets the following criteria:
An annotated review of the scientific literature supporting each component of this methodology may be found here.
Methodology
Scope definition, estimate parameters, and commentary are collected in a format comfortable to most users: a spreadsheet. A companion spreadsheet is provided with this tool and is interoperable with major spreadsheet software such as Microsoft Office Excel and Google Sheets. The only variable that needs to be entered into this tool is the address or filepath of the companion spreadsheet containing the scope components, estimate parameters, and desired commentary.
companion spreadsheet opened in Google Sheets.
companion spreadsheet opened in Microsoft Excel.
Data is collected in the form of interviews, documentation review, and/or receptor-based discovery scanning in order to define the scope of the assessment. Abstractions of the components within scope are categorized into areas: Assets, Containers / Points of Attack, Agent / Threat Communities, Threat Types, and Threat Effects.
NOTICE: Each column is an independent list, i.e. the entries in a given row do not relate to each other.
Scenario Building
Loss scenarios are generated by exhausting all combinations of the components identified as in scope. Implausible scenarios, e.g. non-malicious malware, are removed. The components of each remaining combination are strung together to form the scenario's description.
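The scenario-building step described above, as an added Python sketch that is not the tool's own code. The loop order and the rule that malicious software and external attackers only act deliberately are assumptions inferred from the risk register rows earlier in this report.

```python
from itertools import product

# Scope components taken from the "Included" columns of this report's scope table.
ASSETS = ["Non Public Information (NPI)"]
CONTAINERS = [
    "Subnet Neighbors on Oak-Net",
    "ServerGaugeMgmt Server on Oak-Net",
    "ServerGaugeReport Server on Oak-Net",
    "ServerGaugeIndex Server on Oak-Net",
    "ServerGaugeMonitor Server on Oak-Net",
    "ServerGaugeSQL Server on Oak-Net",
    "DerpCorp hypervisor Server on Oak-Net",
    "DerpCorp sysadmin jump stations on Oak-Net",
    "Monitored servers on Maple-Net",
    "Monitored servers on Birch-Net",
]
COMMUNITIES = [
    "privileged insiders (DerpCorp & Vendors)",
    "non-privileged insiders (DerpCorp & Vendors)",
    "malicious software",
    "external attackers",
]
THREAT_TYPES = ["deliberately", "accidentally"]
EFFECTS = ["confidentiality", "integrity", "availability"]

# Assumption inferred from the register: these communities never appear
# with the "accidentally" threat type (e.g. "non-malicious malware").
ONLY_DELIBERATE = {"malicious software", "external attackers"}


def is_plausible(community, threat_type):
    """Return False for combinations the register treats as implausible."""
    return not (threat_type == "accidentally" and community in ONLY_DELIBERATE)


def all_combinations():
    """Exhaust every combination; the rightmost list varies fastest."""
    return list(product(ASSETS, EFFECTS, THREAT_TYPES, COMMUNITIES, CONTAINERS))


def build_scenarios():
    """Filter implausible combinations and string the rest into scenarios."""
    scenarios = []
    for asset, effect, threat_type, community, container in all_combinations():
        if not is_plausible(community, threat_type):
            continue
        scenarios.append({
            "id": f"Risk-{len(scenarios) + 1}",  # numbered after filtering
            "asset": asset,
            "container": container,
            "community": community,
            "threat_type": threat_type,
            "effect": effect,
            "scenario": (f"{community} {threat_type} impact the {effect} "
                         f"of {asset} through {container}."),
        })
    return scenarios


def removed_count():
    """Number of combinations dropped as implausible."""
    return len(all_combinations()) - len(build_scenarios())


if __name__ == "__main__":
    rows = build_scenarios()
    print(len(rows), "scenarios kept;", removed_count(), "removed")
    for row in (rows[88], rows[179]):
        print(row["id"], "|", row["scenario"])
```
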
Parameter Definition
Probability and impact parameters are defined for each loss scenario by integrating data with estimates from calibrated subject matter experts. Predefined distribution parameters and/or hyper-parameters of a loss event are used where they are available and credible.
To take advantage of a person’s natural Bayesian tendencies, calibration questions and responses take the form of frequency formats instead of percentages or fractions.
Frequency formats communicate information to experts in a form that more closely resembles the natural sampling observed in animal foraging and neural networks. What is 1% in standard format would be “10 in 100” in frequency format.
Control Planning
This risk assessment tool facilitates the comparison of different combinations of controls that may reduce the probability, impact, or uncertainty of loss events. The tool calls the first theoretical combination of loss events and controls “Plan-A”. Plan-A represents the absence of any controls in order to establish a baseline or “inherent risk”. Plan-B is the second combination of controls. This is where analysts may list controls that are in place and additional controls that they are considering implementing. Plan-C is where the analyst would enter an alternative set or combination of controls that requires comparison.
After controls have been entered as column headers under “Controls”, the check boxes are used to indicate which loss scenarios each control affects.
e.g. The “Malware scans nightly” control applies to the scenarios whose Threat Community entry contains “malicious software”.
Simulation
Monte Carlo Simulation is used to generate a dataset using the parameters provided. The simulations consist of at least 10,000 variations of each loss scenario.
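The Control Planning and Simulation steps together, as an added Python example that is not the tool's own code. The scenario parameters, the lognormal loss model fitted to a 90% interval, and the control's effect (halving event probability) and cost are constructed assumptions; only the control name, the threat communities, and the 10,000-trial minimum come from this report.

```python
import math
import random
from statistics import NormalDist, mean

N_TRIALS = 10_000                     # the report's minimum per loss scenario
Z90 = NormalDist().inv_cdf(0.95)      # z-score bounding a 90% interval

# Constructed sample parameters (not from the companion spreadsheet):
# annual event probability and a 90% interval for the loss magnitude.
SCENARIOS = [
    {"id": "S-1", "community": "malicious software",
     "p_event": 0.10, "loss_low": 20_000, "loss_high": 400_000},
    {"id": "S-2", "community": "external attackers",
     "p_event": 0.05, "loss_low": 50_000, "loss_high": 900_000},
    {"id": "S-3", "community": "privileged insiders (DerpCorp & Vendors)",
     "p_event": 0.02, "loss_low": 10_000, "loss_high": 250_000},
]

PLAN_A = []  # no controls: the baseline or "inherent risk"
PLAN_B = [   # effect and cost are assumptions; this sketch models only
             # a probability reduction, not impact or uncertainty
    {"name": "Malware scans nightly", "applies_to": "malicious software",
     "p_factor": 0.5, "annual_cost": 2_000.0},
]


def effective_probability(scenario, controls):
    """Apply each control whose target appears in the threat community."""
    p = scenario["p_event"]
    for control in controls:
        if control["applies_to"] in scenario["community"]:
            p *= control["p_factor"]
    return p


def simulate(scenarios, controls, n_trials=N_TRIALS, seed=1):
    """Return {scenario id: [annual loss per trial]}.

    Each scenario gets its own seeded stream and always draws both the
    event and the magnitude, so plans are compared on identical random
    numbers and differ only through the controls.
    """
    results = {}
    for s in scenarios:
        lo, hi = math.log(s["loss_low"]), math.log(s["loss_high"])
        mu, sigma = (lo + hi) / 2, (hi - lo) / (2 * Z90)
        p = effective_probability(s, controls)
        rng = random.Random(f"{seed}:{s['id']}")
        losses = []
        for _ in range(n_trials):
            u = rng.random()
            magnitude = rng.lognormvariate(mu, sigma)
            losses.append(magnitude if u < p else 0.0)
        results[s["id"]] = losses
    return results


def annual_totals(results):
    """Sum all scenarios trial by trial into a total annual loss."""
    return [sum(trial) for trial in zip(*results.values())]


def percentile(values, q):
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def compare_plans(plan_a, plan_b, scenarios=SCENARIOS, seed=1):
    """Summarise two plans: expected loss, tail loss, prevented loss."""
    a = annual_totals(simulate(scenarios, plan_a, seed=seed))
    b = annual_totals(simulate(scenarios, plan_b, seed=seed))
    cost = sum(c["annual_cost"] for c in plan_b)
    prevented = mean(a) - mean(b)
    return {
        "expected_loss_a": mean(a), "expected_loss_b": mean(b),
        "p95_loss_a": percentile(a, 0.95), "p95_loss_b": percentile(b, 0.95),
        "prevented_loss": prevented, "mitigation_cost": cost,
        "net_benefit": prevented - cost,
    }


if __name__ == "__main__":
    for key, value in compare_plans(PLAN_A, PLAN_B).items():
        print(f"{key:>16}: {value:,.0f}")
```
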
Analysis
The resulting approximating dataset is then analyzed using appropriate statistical methodologies.
Reporting / Communication
Background and scope may be communicated alone or alongside visuals by entering the desired text into the respective sections in the Commentary tab of the spreadsheet.
After analysis has concluded, conclusions and recommendations may also be communicated alone or alongside visuals by entering the desired text into the respective sections of the Commentary tab of the companion spreadsheet.